Me and a few collegues at work recently got our hands on an old machine , which we used to setup debian linux on and run a discourse(discussion platform) server. The guy who installed the OS and the server then gave the rest of us the lowest possible trust level at which you can do almost nothing and challenged us to elevate our accounts to admins.
The first thing I did was compile a list of all the passwords we used at work and use this for a ssh dictionary attack against his account with hydra, which worked. Then I ran into a bit of a problem. His account wasn't enough to do what I needed, so I tried running the same dictionary attack against the root account. When this didn't work, I tried an actual complete wordlist which took a few days to run, and still no success.
In the end I was able to guess the password and complete his challenge just because I knew the guy well enough and could predict what he would think of. What still bugs me, trough, is that when I tried to run hydra with a wordlist consisting of the the correct password I had found and a few others, it still failed. I also noticed that you couldn't ssh into the machine as root@ipadress with the correct password, either, almost as if the root account is disabled. When you login normally, however, and the use su with this password, it works, and your user is shown as root@machine:, so it is indeed the root account.
My question is this: How would run a brute force / dictionary attack against the root account on a machine such as this, which doesn't allow direct login as root?